public static void AgreeWithWrongKey(KeyAgreementAlgorithm a)
{
using (var k = new Key(SignatureAlgorithm.Ed25519))
{
Assert.Throws <ArgumentException>("key", () => a.Agree(k, null));
}
}
public static void AgreeSelf(KeyAgreementAlgorithm a)
{
using var k = new Key(a);
using var s = a.Agree(k, k.PublicKey) ?? throw new Xunit.Sdk.NotNullException();
Assert.NotNull(s);
Assert.Equal(a.SharedSecretSize, s.Size);
}
public static void AgreeWithNullPublicKey(KeyAgreementAlgorithm a)
{
using var k = new Key(a);
Assert.Same(a, k.Algorithm);
Assert.Throws <ArgumentNullException>("otherPartyPublicKey", () => a.Agree(k, null !));
}
public static void AgreeSelf(KeyAgreementAlgorithm a)
{
using (var k = new Key(a))
using (var s = a.Agree(k, k.PublicKey))
{
Assert.NotNull(s);
Assert.Equal(a.SharedSecretSize, s.Size);
}
}
private bool IsSupportedAlgorithm(KeyAgreementAlgorithm algorithm, ReadOnlyMemory <byte> expectedPVal, ReadOnlyMemory <byte> actualPVal)
{
if (!this.SupportedKeyAgreementAlgorithms.Contains(algorithm))
{
return(false);
}
return(expectedPVal.Span.SequenceEqual(actualPVal.Span));
}
public static void AgreeWithWrongPublicKey(KeyAgreementAlgorithm a)
{
using var k1 = new Key(a);
using var k2 = new Key(SignatureAlgorithm.Ed25519);
Assert.Same(a, k1.Algorithm);
Assert.NotSame(a, k2.Algorithm);
Assert.Throws <ArgumentException>("otherPartyPublicKey", () => a.Agree(k1, k2.PublicKey));
}
public static void AgreeWithDisposedKey(KeyAgreementAlgorithm a)
{
using (var k2 = new Key(a))
{
var k1 = new Key(a);
k1.Dispose();
Assert.Throws <ObjectDisposedException>(() => a.Agree(k1, k2.PublicKey));
}
}
public static void AgreeSuccess(KeyAgreementAlgorithm a)
{
using var k1 = new Key(a);
using var k2 = new Key(a);
using var s1 = a.Agree(k1, k2.PublicKey) ?? throw new Xunit.Sdk.NotNullException();
Assert.NotNull(s1);
Assert.Equal(a.SharedSecretSize, s1.Size);
using var s2 = a.Agree(k2, k1.PublicKey) ?? throw new Xunit.Sdk.NotNullException();
Assert.NotNull(s2);
Assert.Equal(a.SharedSecretSize, s2.Size);
}
public static void AgreeSuccess(KeyAgreementAlgorithm a)
{
using (var k1 = new Key(a))
using (var k2 = new Key(a))
using (var s1 = a.Agree(k1, k2.PublicKey))
using (var s2 = a.Agree(k2, k1.PublicKey))
{
Assert.NotNull(s1);
Assert.Equal(a.SharedSecretSize, s1.Size);
Assert.NotNull(s2);
Assert.Equal(a.SharedSecretSize, s2.Size);
}
}
public Task <IExchangeKey> RetrieveKeyCache(KeyAgreementAlgorithm algorithm)
{
if (keyCache.TryGetValue(algorithm, out IExchangeKey key))
{
if (key.CacheExpiry < DateTimeOffset.UtcNow)
{
keyCache.Remove(algorithm);
}
else
{
return(Task.FromResult(key));
}
}
return(Task.FromResult <IExchangeKey>(null));
}
public IExchangeKey RetrieveKeyCache(KeyAgreementAlgorithm algorithm)
{
if (keyCache.TryGetValue(algorithm, out IExchangeKey key))
{
if (key.CacheExpiry < DateTimeOffset.UtcNow)
{
keyCache.Remove(algorithm);
}
else
{
return(key);
}
}
return(null);
}
public static void CreateKey(KeyAgreementAlgorithm a)
{
using var k = new Key(a, new KeyCreationParameters { ExportPolicy = KeyExportPolicies.AllowPlaintextArchiving });
Assert.Same(a, k.Algorithm);
Assert.True(k.HasPublicKey);
Assert.NotNull(k.PublicKey);
Assert.Same(a, k.PublicKey.Algorithm);
Assert.Equal(a.PublicKeySize, k.PublicKey.Size);
Assert.Equal(a.PrivateKeySize, k.Size);
var actual = k.Export(KeyBlobFormat.RawPrivateKey);
var unexpected = new byte[actual.Length];
Utilities.Fill(unexpected, actual[0]);
Assert.NotEqual(unexpected, actual);
}
public static void Properties(KeyAgreementAlgorithm a)
{
Assert.True(a.PublicKeySize > 0);
Assert.True(a.PrivateKeySize > 0);
Assert.True(a.SharedSecretSize > 0);
}
internal static async Task RequestAndValidateTickets(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(listener, overrideKdc, caching: caching);
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = ApOptions.MutualRequired,
S4uTarget = s4u
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn);
}
}
internal static async Task RequestAndValidateTicketsWithCaches(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
bool allowWeakCrypto = false,
bool useWeakCrypto = false,
bool mutualAuth = true,
KrbTicket s4uTicket = null,
bool useKrb5TicketCache = false
)
{
KerberosCredential kerbCred;
if (cert != null)
{
kerbCred = new TrustedAsymmetricCredential(cert, user)
{
KeyAgreement = keyAgreement
};
}
else if (keytab != null)
{
kerbCred = new KeytabCredential(user, keytab);
}
else
{
kerbCred = new KerberosPasswordCredential(user, password);
}
KerberosClient client = CreateClient(
listener,
overrideKdc,
caching: caching,
allowWeakCrypto: allowWeakCrypto,
useWeakCrypto: useWeakCrypto,
useKrb5TicketCache: useKrb5TicketCache
);
using (kerbCred as IDisposable)
using (client)
{
if (!includePac)
{
client.AuthenticationOptions &= ~AuthenticationOptions.IncludePacRequest;
}
await client.Authenticate(kerbCred);
var ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
await client.RenewTicket();
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0
}
);
await ValidateTicket(ticket, encodeNego, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
ticket = await client.GetServiceTicket(
new RequestServiceTicket
{
ServicePrincipalName = spn,
ApOptions = mutualAuth ? ApOptions.MutualRequired : 0,
S4uTarget = s4u,
S4uTicket = s4uTicket
}
);
await ValidateTicket(ticket, includePac : includePac, spn : spn, mutualAuth : mutualAuth);
}
if (user.Contains("-fallback"))
{
Assert.AreEqual(PrincipalNameType.NT_PRINCIPAL, kerbCred.PrincipalNameType);
}
else
{
Assert.AreEqual(PrincipalNameType.NT_ENTERPRISE, kerbCred.PrincipalNameType);
}
}
internal static async Task RequestAndValidateTickets(
KdcListener listener,
string user,
string password = null,
string overrideKdc = null,
KeyTable keytab = null,
string s4u = null,
bool encodeNego = false,
bool caching = false,
bool includePac = true,
X509Certificate2 cert = null,
string spn = FakeAppServiceSpn,
KeyAgreementAlgorithm keyAgreement = KeyAgreementAlgorithm.DiffieHellmanModp14,
bool allowWeakCrypto = false,
bool useWeakCrypto = false,
bool mutualAuth = true,
KrbTicket s4uTicket = null
)
{
await RequestAndValidateTicketsWithCaches(
listener,
user,
password,
overrideKdc,
keytab,
s4u,
encodeNego,
caching,
includePac,
cert,
spn,
keyAgreement,
allowWeakCrypto,
useWeakCrypto,
mutualAuth,
s4uTicket
);
if (caching)
{
await RequestAndValidateTicketsWithCaches(
listener,
user,
password,
overrideKdc,
keytab,
s4u,
encodeNego,
caching,
includePac,
cert,
spn,
keyAgreement,
allowWeakCrypto,
useWeakCrypto,
mutualAuth,
s4uTicket,
useKrb5TicketCache : true
);
}
}
public static void AgreeWithNullKey(KeyAgreementAlgorithm a)
{
Assert.Throws <ArgumentNullException>("key", () => a.Agree(null, null));
}
